go-webrtc
Make stack non-executable
Fixes a bug where Go programs that rely on this library have executable stacks.
In order to build this library with these ld flags, the environment variable CGO_LDFLAGS_ALLOW must be set to a regex that will accept the -z flag. The value "-z|noexecstack" is sufficient. Otherwise the build will fail with the message "invalid flag in #cgo LDFLAGS". This is due to the whitelisting of allowed flags for security purposes.
For context: https://trac.torproject.org/projects/tor/ticket/30451
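As an added example (not code from this PR or from the go-webrtc project), here is a check a downstream build could run on the finished binary to confirm that the `-z noexecstack` link actually took effect: it reads the `PT_GNU_STACK` program header through Go's `debug/elf` package and reports an executable stack both when that header carries `PF_X` and when the header is missing altogether. The function names `StackExecutable` and `minimalELF` are mine, and the ELF images fed to the check are constructed in the code, not real binaries.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// StackExecutable reports whether an ELF image runs with an executable stack: PF_X set on
// PT_GNU_STACK, or no PT_GNU_STACK at all (the Linux kernel then defaults to executable).
func StackExecutable(r io.ReaderAt) (executable, hasGnuStack bool, err error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return false, false, err
	}
	for _, p := range f.Progs {
		if p.Type == elf.PT_GNU_STACK {
			return p.Flags&elf.PF_X != 0, true, nil
		}
	}
	return true, false, nil
}

// minimalELF builds a constructed 64-bit little-endian ELF image with a single
// program header of the given type and flags: sample input, not a real binary.
func minimalELF(typ elf.ProgType, flags elf.ProgFlag) []byte {
	hdr := elf.Header64{
		Ident: [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:  uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: 1,
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	binary.Write(&buf, binary.LittleEndian, elf.Prog64{Type: uint32(typ), Flags: uint32(flags), Align: 16})
	return buf.Bytes()
}

func main() {
	// An *os.File also satisfies io.ReaderAt, so the same check works on a real binary.
	samples := map[string][]byte{
		"RW (-z noexecstack)": minimalELF(elf.PT_GNU_STACK, elf.PF_R|elf.PF_W),
		"RWX":                 minimalELF(elf.PT_GNU_STACK, elf.PF_R|elf.PF_W|elf.PF_X),
		"no PT_GNU_STACK":     minimalELF(elf.PT_NULL, 0),
	}
	for name, img := range samples {
		x, has, err := StackExecutable(bytes.NewReader(img))
		fmt.Printf("%-20s executable=%v header=%v err=%v\n", name, x, has, err)
	}
}
```

The same information is what `readelf -lW <binary>` shows on the `GNU_STACK` line; a `RWE` there, or no line at all, is the condition this PR is fixing.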
We're going to have to set CGO_LDFLAGS_ALLOW="-z|noexecstack" for CI to pass.
Hrm, okay, this actually just seems like a Linux problem. I'm going to make a go-webrtc patch for Linux for the rbm Tor Browser builds that patches this issue.
However, I think that the executable stack problem on Linux is more generally worrying. Any Go program that uses this library will have an executable stack, which is something we want to fix.
Okay, updated the CGO directives to be platform specific, and CI passes now. I talked to GeKo and they said they'd prefer this to be fixed upstream rather than handled with a patch in tor-browser-build.
Maybe the way to handle this is to get CGO_LDFLAGS_ALLOW and CGO_LDFLAGS in build.sh, and rebuild the precompiled libraries? I imagine that's what most downstream users other than Tor Browser are using.